1 /*
2 * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /* @test
25 * @summary test access checking by java.lang.invoke.MethodHandles.Lookup
26 * @compile AccessControlTest.java AccessControlTest_subpkg/Acquaintance_remote.java
27 * @run testng/othervm test.java.lang.invoke.AccessControlTest
28 */
29
30 package test.java.lang.invoke;
31
32 import java.lang.invoke.*;
33 import java.lang.reflect.*;
34 import java.lang.reflect.Modifier;
35 import java.util.*;
36 import org.testng.*;
37 import org.testng.annotations.*;
38
39 import static java.lang.invoke.MethodHandles.*;
40 import static java.lang.invoke.MethodHandles.Lookup.*;
41 import static java.lang.invoke.MethodType.*;
42 import static org.testng.Assert.*;
43
44 import test.java.lang.invoke.AccessControlTest_subpkg.Acquaintance_remote;
45
46
47 /**
48 * Test many combinations of Lookup access and cross-class lookupStatic.
49 * @author jrose
50 */
51 public class AccessControlTest {
52 static final Class<?> THIS_CLASS = AccessControlTest.class;
53 // How much output?
54 static int verbosity = 0;
55 static {
56 String vstr = System.getProperty(THIS_CLASS.getSimpleName()+".verbosity");
57 if (vstr == null)
58 vstr = System.getProperty(THIS_CLASS.getName()+".verbosity");
59 if (vstr != null) verbosity = Integer.parseInt(vstr);
60 }
61
62 private class LookupCase implements Comparable<LookupCase> {
63 final Lookup lookup;
64 final Class<?> lookupClass;
65 final int lookupModes;
66 public LookupCase(Lookup lookup) {
67 this.lookup = lookup;
68 this.lookupClass = lookup.lookupClass();
69 this.lookupModes = lookup.lookupModes();
70 assert(lookupString().equals(lookup.toString()));
71 numberOf(lookupClass().getClassLoader()); // assign CL#
72 }
73 public LookupCase(Class<?> lookupClass, int lookupModes) {
74 this.lookup = null;
75 this.lookupClass = lookupClass;
76 this.lookupModes = lookupModes;
77 numberOf(lookupClass().getClassLoader()); // assign CL#
78 }
79
80 public final Class<?> lookupClass() { return lookupClass; }
81 public final int lookupModes() { return lookupModes; }
82
83 public Lookup lookup() { lookup.getClass(); return lookup; }
84
85 @Override
86 public int compareTo(LookupCase that) {
87 Class<?> c1 = this.lookupClass();
88 Class<?> c2 = that.lookupClass();
89 if (c1 != c2) {
90 int cmp = c1.getName().compareTo(c2.getName());
91 if (cmp != 0) return cmp;
92 cmp = numberOf(c1.getClassLoader()) - numberOf(c2.getClassLoader());
93 assert(cmp != 0);
94 return cmp;
95 }
96 return -(this.lookupModes() - that.lookupModes());
97 }
98
99 @Override
100 public boolean equals(Object that) {
101 return (that instanceof LookupCase && equals((LookupCase)that));
102 }
103 public boolean equals(LookupCase that) {
104 return (this.lookupClass() == that.lookupClass() &&
105 this.lookupModes() == that.lookupModes());
106 }
107
108 @Override
109 public int hashCode() {
110 return lookupClass().hashCode() + (lookupModes() * 31);
111 }
112
113 /** Simulate all assertions in the spec. for Lookup.toString. */
114 private String lookupString() {
115 String name = lookupClass.getName();
116 String suffix = "";
117 if (lookupModes == 0)
118 suffix = "/noaccess";
119 else if (lookupModes == PUBLIC)
120 suffix = "/public";
121 else if (lookupModes == (PUBLIC|MODULE))
122 suffix = "/module";
123 else if (lookupModes == (PUBLIC|MODULE|PACKAGE))
124 suffix = "/package";
125 else if (lookupModes == (PUBLIC|MODULE|PACKAGE|PRIVATE))
126 suffix = "/private";
127 else if (lookupModes == (PUBLIC|MODULE|PACKAGE|PRIVATE|PROTECTED))
128 suffix = "";
129 else
130 suffix = "/#"+Integer.toHexString(lookupModes);
131 return name+suffix;
132 }
133
134 /** Simulate all assertions from the spec. for Lookup.in:
135 * <hr>
136 * Creates a lookup on the specified new lookup class.
137 * [A1] The resulting object will report the specified
138 * class as its own {@link #lookupClass lookupClass}.
139 * <p>
140 * [A2] However, the resulting {@code Lookup} object is guaranteed
141 * to have no more access capabilities than the original.
142 * In particular, access capabilities can be lost as follows:<ul>
143 * <li>[A3] If the new lookup class differs from the old one,
144 * protected members will not be accessible by virtue of inheritance.
145 * (Protected members may continue to be accessible because of package sharing.)
146 * <li>[A4] If the new lookup class is in a different package
147 * than the old one, protected and default (package) members will not be accessible.
148 * <li>[A5] If the new lookup class is not within the same package member
149 * as the old one, private members will not be accessible.
150 * <li>[A6] If the new lookup class is not accessible to the old lookup class,
151 * using the original access modes,
152 * then no members, not even public members, will be accessible.
153 * <li>[A7] If the new lookup class for this {@code Lookup} is in the unnamed module,
154 * and the new lookup class is in a named module {@code M}, then no members in
155 * {@code M}'s non-exported packages will be accessible.
156 * <li>[A8] If the lookup for this {@code Lookup} is in a named module, and the
157 * new lookup class is in a different module, then no members, not even
158 * public members in {@code M}'s exported packages, will be accessible.
159 * [A8] (In all other cases, public members will continue to be accessible.)
160 * </ul>
161 * Other than the above cases, the new lookup will have the same
162 * access capabilities as the original. [A10]
163 * <hr>
164 */
165 public LookupCase in(Class<?> c2) {
166 Class<?> c1 = lookupClass();
167 int m1 = lookupModes();
168 int changed = 0;
169 // for the purposes of access control then treat classes in different unnamed
170 // modules as being in the same module.
171 boolean sameModule = (c1.getModule() == c2.getModule()) ||
172 (!c1.getModule().isNamed() && !c2.getModule().isNamed());
173 boolean samePackage = (c1.getClassLoader() == c2.getClassLoader() &&
174 packagePrefix(c1).equals(packagePrefix(c2)));
175 boolean sameTopLevel = (topLevelClass(c1) == topLevelClass(c2));
176 boolean sameClass = (c1 == c2);
177 assert(samePackage || !sameTopLevel);
178 assert(sameTopLevel || !sameClass);
179 boolean accessible = sameClass; // [A6]
180 if ((m1 & PACKAGE) != 0) accessible |= samePackage;
181 if ((m1 & PUBLIC ) != 0) accessible |= (c2.getModifiers() & PUBLIC) != 0;
182 if (!sameModule) {
183 if (c1.getModule().isNamed()) {
184 accessible = false; // [A8]
185 } else {
186 // Different module; loose MODULE and lower access.
187 changed |= (MODULE|PACKAGE|PRIVATE|PROTECTED); // [A7]
188 }
189 }
190 if (!accessible) {
191 // Different package and no access to c2; lose all access.
192 changed |= (PUBLIC|MODULE|PACKAGE|PRIVATE|PROTECTED); // [A6]
193 }
194 if (!samePackage) {
195 // Different package; loose PACKAGE and lower access.
196 changed |= (PACKAGE|PRIVATE|PROTECTED); // [A4]
197 }
198 if (!sameTopLevel) {
199 // Different top-level class. Lose PRIVATE and lower access.
200 changed |= (PRIVATE|PROTECTED); // [A5]
201 }
202 if (!sameClass) {
203 changed |= (PROTECTED); // [A3]
204 } else {
205 assert(changed == 0); // [A10] (no deprivation if same class)
206 }
207 if (accessible) assert((changed & PUBLIC) == 0); // [A9]
208 int m2 = m1 & ~changed;
209 LookupCase l2 = new LookupCase(c2, m2);
210 assert(l2.lookupClass() == c2); // [A1]
211 assert((m1 | m2) == m1); // [A2] (no elevation of access)
212 return l2;
213 }
214
215 @Override
216 public String toString() {
217 String s = lookupClass().getSimpleName();
218 String lstr = lookupString();
219 int sl = lstr.indexOf('/');
220 if (sl >= 0) s += lstr.substring(sl);
221 ClassLoader cld = lookupClass().getClassLoader();
222 if (cld != THIS_LOADER) s += "/loader#"+numberOf(cld);
223 return s;
224 }
225
226 /** Predict the success or failure of accessing this method. */
227 public boolean willAccess(Method m) {
228 Class<?> c1 = lookupClass();
229 Class<?> c2 = m.getDeclaringClass();
230
231 // if the lookup class is in a loose module with PUBLIC access then
232 // public members of public types in all unnamed modules can be accessed
233 if (isLooseModule(c1.getModule())
234 && (lookupModes & PUBLIC) != 0
235 && (!c2.getModule().isNamed())
236 && Modifier.isPublic(c2.getModifiers())
237 && Modifier.isPublic(m.getModifiers()))
238 return true;
239
240 LookupCase lc = this.in(c2);
241 int m1 = lc.lookupModes();
242 int m2 = fixMods(m.getModifiers());
243 // privacy is strictly enforced on lookups
244 if (c1 != c2) m1 &= ~PRIVATE;
245 // protected access is sometimes allowed
246 if ((m2 & PROTECTED) != 0) {
247 int prev = m2;
248 m2 |= PACKAGE; // it acts like a package method also
249 if ((lookupModes() & PROTECTED) != 0 &&
250 c2.isAssignableFrom(c1))
251 m2 |= PUBLIC; // from a subclass, it acts like a public method also
252 }
253 if (verbosity >= 2)
254 System.out.println(this+" willAccess "+lc+" m1="+m1+" m2="+m2+" => "+((m2 & m1) != 0));
255 return (m2 & m1) != 0;
256 }
257
258 /** Predict the success or failure of accessing this class. */
259 public boolean willAccessClass(Class<?> c2, boolean load) {
260 Class<?> c1 = lookupClass();
261 if (load && c2.getClassLoader() != null) {
262 if (c1.getClassLoader() == null) {
263 // not visible
264 return false;
265 }
266 if (c1 == publicLookup().lookupClass()) {
267 // not visible as lookup class is defined by child of the boot loader
268 return false;
269 }
270 }
271
272 // if the lookup class is in a loose module with PUBLIC access then
273 // public types in all unnamed modules can be accessed
274 if (isLooseModule(c1.getModule())
275 && (lookupModes & PUBLIC) != 0
276 && (!c2.getModule().isNamed())
277 && Modifier.isPublic(c2.getModifiers()))
278 return true;
279
280 LookupCase lc = this.in(c2);
281 int m1 = lc.lookupModes();
282 boolean r = false;
283 if (m1 == 0) {
284 r = false;
285 } else {
286 int m2 = fixMods(c2.getModifiers());
287 if ((m2 & PUBLIC) != 0) {
288 r = true;
289 } else if ((m1 & PACKAGE) != 0 && c1.getPackage() == c2.getPackage()) {
290 r = true;
291 }
292 }
293 if (verbosity >= 2) {
294 System.out.println(this+" willAccessClass "+lc+" c1="+c1+" c2="+c2+" => "+r);
295 }
296 return r;
297 }
298
299 private boolean isLooseModule(Module m) {
300 ClassLoader cl = new ClassLoader() { };
301 return m.canRead(cl.getUnnamedModule());
302 }
303 }
304
305 private static Class<?> topLevelClass(Class<?> cls) {
306 Class<?> c = cls;
307 for (Class<?> ec; (ec = c.getEnclosingClass()) != null; )
308 c = ec;
309 assert(c.getEnclosingClass() == null);
310 assert(c == cls || cls.getEnclosingClass() != null);
311 return c;
312 }
313
314 private static String packagePrefix(Class<?> c) {
315 while (c.isArray()) c = c.getComponentType();
316 String s = c.getName();
317 assert(s.indexOf('/') < 0);
318 return s.substring(0, s.lastIndexOf('.')+1);
319 }
320
321
322 private final TreeSet<LookupCase> CASES = new TreeSet<>();
323 private final TreeMap<LookupCase,TreeSet<LookupCase>> CASE_EDGES = new TreeMap<>();
324 private final ArrayList<ClassLoader> LOADERS = new ArrayList<>();
325 private final ClassLoader THIS_LOADER = this.getClass().getClassLoader();
326 { if (THIS_LOADER != null) LOADERS.add(THIS_LOADER); } // #1
327
328 private LookupCase lookupCase(String name) {
329 for (LookupCase lc : CASES) {
330 if (lc.toString().equals(name))
331 return lc;
332 }
333 throw new AssertionError(name);
334 }
335
336 private int numberOf(ClassLoader cl) {
337 if (cl == null) return 0;
338 int i = LOADERS.indexOf(cl);
339 if (i < 0) {
340 i = LOADERS.size();
341 LOADERS.add(cl);
342 }
343 return i+1;
344 }
345
346 private void addLookupEdge(LookupCase l1, Class<?> c2, LookupCase l2) {
347 TreeSet<LookupCase> edges = CASE_EDGES.get(l2);
348 if (edges == null) CASE_EDGES.put(l2, edges = new TreeSet<>());
349 if (edges.add(l1)) {
350 Class<?> c1 = l1.lookupClass();
351 assert(l2.lookupClass() == c2); // [A1]
352 int m1 = l1.lookupModes();
353 int m2 = l2.lookupModes();
354 assert((m1 | m2) == m1); // [A2] (no elevation of access)
355 LookupCase expect = l1.in(c2);
356 if (!expect.equals(l2))
357 System.out.println("*** expect "+l1+" => "+expect+" but got "+l2);
358 assertEquals(l2, expect);
359 }
360 }
361
362 private void makeCases(Lookup[] originalLookups) {
363 // make initial set of lookup test cases
364 CASES.clear(); LOADERS.clear(); CASE_EDGES.clear();
365 ArrayList<Class<?>> classes = new ArrayList<>();
366 for (Lookup l : originalLookups) {
367 CASES.add(new LookupCase(l));
368 classes.remove(l.lookupClass()); // no dups please
369 classes.add(l.lookupClass());
370 }
371 System.out.println("loaders = "+LOADERS);
372 int rounds = 0;
373 for (int lastCount = -1; lastCount != CASES.size(); ) {
374 lastCount = CASES.size(); // if CASES grow in the loop we go round again
375 for (LookupCase lc1 : CASES.toArray(new LookupCase[0])) {
376 for (Class<?> c2 : classes) {
377 LookupCase lc2 = new LookupCase(lc1.lookup().in(c2));
378 addLookupEdge(lc1, c2, lc2);
379 CASES.add(lc2);
380 }
381 }
382 rounds++;
383 }
384 System.out.println("filled in "+CASES.size()+" cases from "+originalLookups.length+" original cases in "+rounds+" rounds");
385 if (false) {
386 System.out.println("CASES: {");
387 for (LookupCase lc : CASES) {
388 System.out.println(lc);
389 Set<LookupCase> edges = CASE_EDGES.get(lc);
390 if (edges != null)
391 for (LookupCase prev : edges) {
392 System.out.println("\t"+prev);
393 }
394 }
395 System.out.println("}");
396 }
397 }
398
399 @Test public void test() {
400 makeCases(lookups());
401 if (verbosity > 0) {
402 verbosity += 9;
403 Method pro_in_self = targetMethod(THIS_CLASS, PROTECTED, methodType(void.class));
404 testOneAccess(lookupCase("AccessControlTest/public"), pro_in_self, "find");
405 testOneAccess(lookupCase("Remote_subclass/public"), pro_in_self, "find");
406 testOneAccess(lookupCase("Remote_subclass"), pro_in_self, "find");
407 verbosity -= 9;
408 }
409 Set<Class<?>> targetClassesDone = new HashSet<>();
410 for (LookupCase targetCase : CASES) {
411 Class<?> targetClass = targetCase.lookupClass();
412 if (!targetClassesDone.add(targetClass)) continue; // already saw this one
413 String targetPlace = placeName(targetClass);
414 if (targetPlace == null) continue; // Object, String, not a target
415 for (int targetAccess : ACCESS_CASES) {
416 MethodType methodType = methodType(void.class);
417 Method method = targetMethod(targetClass, targetAccess, methodType);
418 // Try to access target method from various contexts.
419 for (LookupCase sourceCase : CASES) {
420 testOneAccess(sourceCase, method, "findClass");
421 testOneAccess(sourceCase, method, "accessClass");
422 testOneAccess(sourceCase, method, "find");
423 testOneAccess(sourceCase, method, "unreflect");
424 }
425 }
426 }
427 System.out.println("tested "+testCount+" access scenarios; "+testCountFails+" accesses were denied");
428 }
429
430 private int testCount, testCountFails;
431
432 private void testOneAccess(LookupCase sourceCase, Method method, String kind) {
433 Class<?> targetClass = method.getDeclaringClass();
434 String methodName = method.getName();
435 MethodType methodType = methodType(method.getReturnType(), method.getParameterTypes());
436 boolean isFindOrAccessClass = "findClass".equals(kind) || "accessClass".equals(kind);
437 boolean willAccess = isFindOrAccessClass ?
438 sourceCase.willAccessClass(targetClass, "findClass".equals(kind)) : sourceCase.willAccess(method);
439 boolean didAccess = false;
440 ReflectiveOperationException accessError = null;
441 try {
442 switch (kind) {
443 case "accessClass":
444 sourceCase.lookup().accessClass(targetClass);
445 break;
446 case "findClass":
447 sourceCase.lookup().findClass(targetClass.getName());
448 break;
449 case "find":
450 if ((method.getModifiers() & Modifier.STATIC) != 0)
451 sourceCase.lookup().findStatic(targetClass, methodName, methodType);
452 else
453 sourceCase.lookup().findVirtual(targetClass, methodName, methodType);
454 break;
455 case "unreflect":
456 sourceCase.lookup().unreflect(method);
457 break;
458 default:
459 throw new AssertionError(kind);
460 }
461 didAccess = true;
462 } catch (ReflectiveOperationException ex) {
463 accessError = ex;
464 }
465 if (willAccess != didAccess) {
466 System.out.println(sourceCase+" => "+targetClass.getSimpleName()+(isFindOrAccessClass?"":"."+methodName+methodType));
467 System.out.println("fail "+(isFindOrAccessClass?kind:"on "+method)+" ex="+accessError);
468 assertEquals(willAccess, didAccess);
469 }
470 testCount++;
471 if (!didAccess) testCountFails++;
472 }
473
474 static Method targetMethod(Class<?> targetClass, int targetAccess, MethodType methodType) {
475 assert targetAccess != MODULE;
476 String methodName = accessName(targetAccess)+placeName(targetClass);
477 if (verbosity >= 2)
478 System.out.println(targetClass.getSimpleName()+"."+methodName+methodType);
479 try {
480 Method method = targetClass.getDeclaredMethod(methodName, methodType.parameterArray());
481 assertEquals(method.getReturnType(), methodType.returnType());
482 int haveMods = method.getModifiers();
483 assert(Modifier.isStatic(haveMods));
484 assert(targetAccess == fixMods(haveMods));
485 return method;
486 } catch (NoSuchMethodException ex) {
487 throw new AssertionError(methodName, ex);
488 }
489 }
490
491 static String placeName(Class<?> cls) {
492 // return "self", "sibling", "nestmate", etc.
493 if (cls == AccessControlTest.class) return "self";
494 String cln = cls.getSimpleName();
495 int under = cln.lastIndexOf('_');
496 if (under < 0) return null;
497 return cln.substring(under+1);
498 }
499 static String accessName(int acc) {
500 switch (acc) {
501 case PUBLIC: return "pub_in_";
502 case PROTECTED: return "pro_in_";
503 case PACKAGE: return "pkg_in_";
504 case PRIVATE: return "pri_in_";
505 }
506 assert(false);
507 return "?";
508 }
509 // MODULE not a test case at this time
510 private static final int[] ACCESS_CASES = {
511 PUBLIC, PACKAGE, PRIVATE, PROTECTED
512 };
513 /** Return one of the ACCESS_CASES. */
514 static int fixMods(int mods) {
515 mods &= (PUBLIC|PRIVATE|PROTECTED);
516 switch (mods) {
517 case PUBLIC: case PRIVATE: case PROTECTED: return mods;
518 case 0: return PACKAGE;
519 }
520 throw new AssertionError(mods);
521 }
522
523 static Lookup[] lookups() {
524 ArrayList<Lookup> tem = new ArrayList<>();
525 Collections.addAll(tem,
526 AccessControlTest.lookup_in_self(),
527 Inner_nestmate.lookup_in_nestmate(),
528 AccessControlTest_sibling.lookup_in_sibling());
529 if (true) {
530 Collections.addAll(tem,Acquaintance_remote.lookups());
531 } else {
532 try {
533 Class<?> remc = Class.forName("test.java.lang.invoke.AccessControlTest_subpkg.Acquaintance_remote");
534 Lookup[] remls = (Lookup[]) remc.getMethod("lookups").invoke(null);
535 Collections.addAll(tem, remls);
536 } catch (ReflectiveOperationException ex) {
537 throw new LinkageError("reflection failed", ex);
538 }
539 }
540 tem.add(publicLookup());
541 tem.add(publicLookup().in(String.class));
542 tem.add(publicLookup().in(List.class));
543 return tem.toArray(new Lookup[0]);
544 }
545
546 static Lookup lookup_in_self() {
547 return MethodHandles.lookup();
548 }
549 public static void pub_in_self() { }
550 protected static void pro_in_self() { }
551 static /*package*/ void pkg_in_self() { }
552 private static void pri_in_self() { }
553
554 static class Inner_nestmate {
555 static Lookup lookup_in_nestmate() {
556 return MethodHandles.lookup();
557 }
558 public static void pub_in_nestmate() { }
559 protected static void pro_in_nestmate() { }
560 static /*package*/ void pkg_in_nestmate() { }
561 private static void pri_in_nestmate() { }
562 }
563 }
564 class AccessControlTest_sibling {
565 static Lookup lookup_in_sibling() {
566 return MethodHandles.lookup();
567 }
568 public static void pub_in_sibling() { }
569 protected static void pro_in_sibling() { }
570 static /*package*/ void pkg_in_sibling() { }
571 private static void pri_in_sibling() { }
572 }
573
574 // This guy tests access from outside the package:
575 /*
576 package test.java.lang.invoke.AccessControlTest_subpkg;
577 public class Acquaintance_remote {
578 public static Lookup[] lookups() { ...
579 }
580 ...
581 }
582 */